On Data Leaks and Data Breaches

Massive data breaches at some of the largest companies have made international headlines over the past couple of years. These breaches have brought to light the never-ending security threat of sensitive data being exposed, destroyed or lost. Whether you are a home user, a government agency or a business, data breaches have proven to be very costly and damaging threats.

What is a Data Breach?

A data breach is the intentional or unintentional release of protected or restricted data to an untrusted environment. This threat is also known as a data spill or an unintentional information disclosure. Occurrences range from concentrated attacks by hackers connected with organized crime groups or political militants to the irresponsible disposal of old computers or data storage devices [1].

What is a Data Leak?

A data leak is the unauthorized transfer of confidential data from a computer or data storage to unauthorized persons. Data leakage can happen in a variety of ways, such as someone memorizing information they saw, hiding information, or physically taking files, reports, disks or tapes [2].

These threats can come to fruition in many ways. Malware attacks, stolen or lost devices, human errors and/or system breakdowns, and disgruntled employees are typically the root causes of these threats [6].

Risks of Data Breaches and of Data Leaks

Here are some of the risks that data leaks and data breaches cause [5]:

Loss of confidential data

Loss of patented data

Operational interruptions

Economic losses due to restoration fees

Bad reputation

Loss of videos and photos

Loss of intellectual assets

Disclosure of strategy, tactics, clients, business leads

Loss of competitive edge.

Data Breaches and Data Leaks Statistics

Many businesses have realized that despite their attempts to protect themselves, data breaches are inescapable. For instance, in 2016, more than 1.3 billion records were lost and/or stolen in breaches. That is an 86% increase over 2015. Currently, nearly 4 million records are stolen or lost every day, which equals 44 records every second [7].

The top three breaches by type in 2016 were [7]:

Identity theft made up 59% of occurrences

Financial information theft made up 18% of occurrences

Access to accounts made up 11% of the breaches.

Breaches also place a severe financial burden on the victims. According to the US Department of Justice (DOJ), an estimated 17.6 million people fall victim to identity fraud each year. The DOJ stated that in 2014, victims suffered an average loss of $1,343. The total losses added up to a staggering $15.4 billion [8].

Consequences of Data Breaches and of Data Leaks

Data leaks and breaches have devastating consequences for individuals, governments and businesses alike. A recent study found that 2016 was the year that malware attacks targeted more individual users in addition to businesses. A nuisance breach can expose embarrassing personal information about an individual that could potentially hurt their personal life or professional career. Breaches of dating sites such as Adult FriendFinder and Ashley Madison have exposed the personal lives of millions of individuals, including many high-profile celebrities and businessmen [7].

Additionally, hackers are using entertainment and social sites to steal users' account data and use the information as an access point. One good example of this is how hackers used only illegally obtained phone numbers to steal millions in Bitcoin [7].

Examples of Data Breaches in Major Organizations

Data breaches are happening at an alarming rate and the costs and number of people affected are astronomical. The following are some of the more well-known incidents of recent data leaks and breaches:

In 2013, the United States experienced a huge data breach when Target disclosed the theft of 110 million credit and debit card numbers. The company’s CEO eventually resigned in May 2014 and reported the total costs associated with the breach to be $162 million [4].

In March 2014, Sally Beauty, a retail beauty supply chain, had the card information of over 280,000 of its customers stolen. The stolen data was then sold on the black market by hackers [3].

In March 2008, Heartland Payment Systems, a payment and credit management company, had 134 million customers’ credit cards stolen when spyware was installed on its information systems [4].

In December 2006, TJX Companies Inc. was attacked by hackers, who stole information on 94 million debit and credit cards. The breach was possible because TJX’s infrastructure was not defended by any firewalls [4].

In March 2011, Epsilon, a retail store and financial group, was targeted by various phishing attacks and had millions of its customers’ personal emails and names leaked. It was estimated to cost the company $4 billion [4].

In April 2011, Sony’s PlayStation Network had 77 million of its players’ accounts attacked, 12 million of which contained unencrypted card numbers. The thieves were able to steal everything from credit card numbers to customers’ full names and addresses. The site experienced a downtime of one month, and the breach cost the company millions [4].

In September 2014, Home Depot experienced the breach of 56 million customers’ debit and credit card information after admitting its system was infiltrated with malware. Later, in February, Home Depot said the leak cost it $33 million [4].

In February 2015, Anthem, previously known as WellPoint and the second-biggest health insurance company in the U.S., was hacked, and confidential data for 78.8 million customers was stolen. The financial loss from the attack was estimated to surpass $100 million [4].

In May 2017, a data breach at Bronx-Lebanon Hospital Center in New York City exposed tens of thousands of healthcare records. The breach happened due to a misconfiguration of the open source rsync software used to back up data to a cloud provider. The leaked data contained confidential patient information such as personal healthcare records and personal health information (PHI) [9].

Most recently, in May 2017, the ransomware known as WannaCry attacked hundreds of thousands of computers in a distributed international attack. The hackers were seeking ransom payments in the amount of $300 in Bitcoin from victims to retrieve their data [4].

In 2016, OPM disclosed that the data of millions of current and former US government employees was stolen [15]. This threatens not only their identities but also their lives.

Political Data Breaches and Data Leaks

In addition to organizations and individuals, data leaks and breaches have also severely impacted political elections and campaigns. The first well-known breach occurred in 2016 during the U.S. presidential campaign, when the Democratic National Committee (DNC) was hacked and suffered a major breach. A criminal enterprise known as Guccifer 2.0 leaked files from the DNC’s servers. The files were released to Wikileaks and major news organizations around the world. The leak led to the resignation of DNC Chair Debbie Wasserman Schultz and may be one of the factors that resulted in presidential elect Hillary Clinton’s loss. Eventually, multiple U.S. intelligence agencies concluded that two Russian intelligence groups were behind the hack [11]. As of this writing, more intelligence agencies are reporting that voting systems in 39 US states have been targeted by the Russians [13] [14].

A second notorious data leak happened in 2017, two days before the French presidential election. Hackers breached the email of candidate Emmanuel Macron and leaked nine gigabytes of emails to the public in an attempt to support Marine Le Pen’s candidacy. Once again, U.S. intelligence believes Russian cyber criminals are to blame. Although they have publicly brought forth evidence of the hack, NSA director Michael Rogers testified to the U.S. Senate that the Russians hacked the French election infrastructure [12].

Government Response to Data Leaks and Data Breaches

With data leaks and breaches becoming more and more of a threat, no sector has remained unscathed. Since law enforcement, government agencies, hospitals, businesses and schools have all been hit by ransomware, the government has been making a concentrated effort to fight cyber crime [5]. One way it is doing so is by educating individuals and organizations on what to do in the event of a data breach. The FBI recommends that those attacked by ransomware do not pay the ransom, because there is no assurance that the business will get its data restored. Furthermore, the FBI states that paying the ransom encourages other hackers to join the criminal activity [5].

The FBI encourages businesses to concentrate on three areas in order to evade/prevent malware attacks that will contribute to data breaches and leaks:

Educate employees and use strong security measures [5]

Have a concrete business continuity plan [5]

Continually observe for breaches and loss [6].

Because data breaches and leaks due to malware attacks will continue to be a threat, the FBI has pledged to maintain collaborative efforts with its partners in the international, local, federal and private divisions to fight the threats [5].

The following are additional recommendations to organizations following a breach or leak [6]:

Confirm the leak/breach by categorizing what and how the data was released

After confirmation has occurred, dedicate an upper-level manager to conduct the investigation

Gather a team of employees from various departments to form the incident response team

Establish the reach and structure of the breach

Inform the customers/clients affected

Alert the authorities if criminal activity was involved

Decide whether the level of reporting to the impacted customers is suitable

Examine analyses and response reports and documentation.

What Laws are in Place to Prevent Data Breaches and Data Leaks?

The Personal Data Protection and Breach Accountability Act of 2014 was introduced to the Senate in February of that year. The law was intended to increase sanctions for identity theft and data privacy violations and to set compliance requirements for businesses regarding the access, use and protection of confidential data [10].

The act consists of four parts: Titles I, II, III and IV. Title I is called Enhancing Punishment for Identity Theft and Other Violations of Data Privacy and Security: It allows a fine and/or five years in prison to be imposed on a person who is charged with deliberately hiding a data breach that contains confidential data and results in emotional and/or financial harm to any persons involved. Furthermore, it makes it illegal for service providers to purposely monitor and market information and/or transmit internet searches without permission from the user. The fine for a violation can be up to $500,000 unless a clear pattern of non-compliance is established, in which case it can be increased up to $1 million [10].

Title II is called Privacy and Security of Sensitive Personally Identifiable Information: It subjects businesses that possess, gather, store or dispose of confidential data on 10,000 or more U.S. citizens to data privacy requirements and security standards. It requires businesses that fall under this Act to set up a program that: 1. protects secure and private identifying information; 2. shields against any expected weaknesses to the security of the data; 3. guards against unlawful access to data that could create a substantial threat of damage [10].

Title III is called Access to and Use of Commercial Data: It requires the Administrator of the General Services Administration (GSA) to assess: 1. the privacy of the data and the compliance of the brokers; 2. how much damage any breaches cause the networks and databases; 3. the response of the brokers to any breaches [10].

Lawsuits/Indictments

FBI agents are using both conventional and technological investigative methods to combat the data breach and leakage epidemic. In January 2014, four individuals with Russian ties participated in a data breach of more than 500 million Yahoo accounts. The criminals then used the stolen data to access accounts at Google, Yahoo, and other web service providers. After a three-year FBI investigation, charges were brought against Russian Federal Security Service officers Dmitry Dokuchaev and Igor Sushchin, as well as criminal hackers Alexey Belan and Karim Baratov, on February 28, 2017. A collaboration between many entities such as the U.S. government, foreign allies, and private enterprises was key to catching and charging the criminals.

Conclusion

Data leaks and breaches have proven to be a legitimate threat to society. Not only have breaches and leaks dramatically increased the cost of doing business over the last decade, they have ruined the reputations of countless individuals and organizations and have destroyed the careers of businessmen and politicians. They have proven to threaten democracy itself by causing confusion and mass chaos, and the attacks have also threatened our national security. These threats go far beyond being just an IT problem and/or a slight nuisance. Businesses and users must recognize the importance of proper security and data protection as a means to secure their invaluable information.